Nevertheless, Lewis remains vigilant. When data breaches or ransomware infections hit the news, Lewis uses them as teachable moments to remind employees of the importance of good security hygiene and meets with his IT team to make sure it’s prepared for similar attacks.

“When an incident occurs, we play it out in our environment by asking ourselves, ‘If we encountered that, how would we have handled it?’” Lewis says. “We go through scenarios, and that helps us identify other opportunities to harden our defenses.”

As threats evolve, more businesses realize that even with good security technology and policies in place, they’re still vulnerable.

Perhaps the best defense is a good offense. A preemptive strategy like the one taken by the Anaheim, Calif.-based grocery chain starts with asset discovery to assess the devices and data in need of protection, says Ovum senior analyst Eric Parizo. Businesses should then perform a risk assessment to understand their vulnerabilities, determine what attackers would value and locate weak spots.

“With cybersecurity, whether it’s small companies or Fortune 500 companies, there is no one single recipe for success,” Parizo says. “Every organization will have a unique set of risks. Because of that, every organization has to start with developing a holistic understanding of its own risks, and that will dictate which technologies and services are appropriate for their security.”

Yet even as each situation is unique, most companies will want to deploy endpoint security, next-generation firewalls and multifactor authentication, he says.

Cloud Demands Security Focus

Lewis and his IT staff recently reviewed Northgate Gonzalez Markets’ security architecture as it shut down its two data centers and migrated its virtual servers and storage to the Google Cloud Platform. With the IT infrastructure in the cloud, network security is more critical than ever, Lewis says.

With 42 locations in Southern California, the grocery chain, which specializes in Hispanic foods, relies on the network for credit and debit card transactions and Voice over IP calls. Its 7,000 employees also use it to access business applications, such as accounting, finance, warehousing, merchandising and transportation software, in Google Cloud.

To safeguard the network, the IT team relies on multiple cloud-based security tools, including Zscaler Internet Access, a web-based content filter that inspects network traffic and blocks users from accessing unauthorized or malicious websites, and Mimecast, an email security gateway that encrypts emails and blocks ransomware, malware and phishing attempts.

Lewis also deploys next-generation endpoint security software from CrowdStrike and subscribes to its threat intelligence service, which alerts the IT staff to emerging threats in real time.

“Data is either an asset or a liability, and any information that is valuable to someone else is a threat to the organization,” he says.

Lewis also hired a third-party threat-hunting service that monitors the network 24/7, analyzes the logs from the network security tools and mitigates threats when they arise, Lewis says. To guard against supply chain threats, he uses a security ratings service that analyzes the posture of Northgate’s third-party vendors and Northgate’s own network and provides a security score, much like a credit score for consumers.

Finally, twice a year, an independent auditor assesses the company’s security posture and recommends areas for improvement. “It’s an opportunity for us to test all the solutions we have in place,” he says.

In Washington state, Olympia Federal Savings likewise takes a multilayered approach to network security, but key to its strategy are three technologies and services: next-generation firewall protection, a network appliance and a managed service provider for intrusion detection and prevention services.

$150 per record lost or stolen

The Value of Multiple Security Partners

“There’s a benefit to having multiple vendors and different technology and sources of threat intelligence,” says Mike Bowen, the bank’s vice president and senior technology officer. “This kind of strategy provides multiple lines of defense to prevent data breaches.”

The eight-branch bank, known as OlyFed, must secure a data center with up to 100 virtual servers that house customer information.

The bank standardized on the PA-800 Series next-generation firewall by Palo Alto Networks, which provides multiple security features, including intrusion prevention, web content filtering and malware protection. It also subscribes to Palo Alto Networks’ WildFire service, which updates the firewall regularly with the latest threat protection.

The company uses several Fortinet security products in each office and at its Effingham, Ill., corporate headquarters. Those include FortiGate 60E next-generation firewalls and the FortiSandbox appliance, which uses artificial intelligence to detect malware and suspicious code and safely isolates them for evaluation.

“With our Fortinet devices, files go east and west across the network,” Petty says. “They can submit files or websites into our sandbox and detonate them to see if they are malicious. This way, we can get ahead of zero-day attacks.”

The company, which manages about 1,500 virtual machines in its data center and over 20,000 workstations across its customers’ offices, also deployed FortiAnalyzer, which correlates the logs from the FortiGate tools, providing greater network visibility.

More recently, Petty installed open-source security information and event management software, a central dashboard that aggregates the logs from the company’s security tools and IT infrastructure. It provides Heartland Dental with full visibility into the company’s threat posture, uses machine learning anomaly detection to uncover threats and sends alerts to the IT staff.

Heartland Dental has written scripts to automatically remediate threats. For example, if a scan discovers a computer has a virus, the tool can cordon the computer off from the network, so it doesn’t affect other devices.

“It’s one central place, so we can automate our response,” Petty says.